Non-Meraki IPSEC Tunnel configuration

AjitKumar
Head in the Cloud

Hi Friends,

 

Is the following configuration possible on MX100 (IPSec)?

The Customer is going to connect to their client's network (The client's network might have ASA / Fortigate).

 

Question 1

  • From Branch-1 to Client-1 Site-to-Site VPN (IKEv1) on Primary ISP
  • From Branch-1 to Client-1 Site-to-Site VPN (IKEv1) on Secondary ISP
  • From Branch-1 to Client-2 Site-to-Site VPN (IKEv1) on Primary ISP
  • From Branch-1 to Client-2 Site-to-Site VPN (IKEv1) on Secondary ISP
  • From Branch-1 to Client-3 Site-to-Site VPN (IKEv2) on Primary ISP
  • From Branch-1 to Client-3 Site-to-Site VPN (IKEv2) on Secondary ISP
  • From Branch-1 to Client-4 Site-to-Site VPN (IKEv2) on Primary ISP
  • From Branch-1 to Client-4 Site-to-Site VPN (IKEv2) on Secondary ISP

Question 2

Also, please confirm whether NAT (Network Address Translation) is possible over Site-to-Site VPN Phase 2 as interesting traffic.

 

Question 3

Is SSL-based remote access VPN possible? If yes, please confirm whether the SSL VPN traffic can be rerouted to the existing Site-to-Site VPNs of Branch-1 clients.

Example:

  • End User-1 connects to the Branch-1 SSL VPN and accesses the Client-1 Site-to-Site VPN (IKEv1)
  • End User-2 connects to the Branch-1 SSL VPN and accesses the Client-3 Site-to-Site VPN (IKEv2)

Regards Ajit

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
1 Reply
Sushil
Meraki Employee

Answer 1 

IKEv2 is supported from 15.12 onwards. Non-Meraki VPN tunnels are established using the primary WAN interface. It will fail over and establish using WAN2. You need to make sure that the VPN peer has the WAN2 IP configured.

 

Answer 2 

It's not supported for Non-Meraki VPN tunnels. AutoVPN tunnels have NAT available.

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

 

Answer 3

SSL VPN is not supported yet.
